Re: snort3 alert_json appid fields

[Noah Dietrich <noah_dietrich () 86penny org>]

Costas,
if you're adding fields to the alert_json output, can I ask that you look
at including all the information from the rules file as well?
> From a SIEM integration viewpoint, it means that each record in the json
file is complete with supporting information about the event, and i don't
have to cludge some sort of workaround to pull data from the rules files
(say to show the references with the rule, or the metadata).  Since the
user chooses which fields to write to the JSON file in their snort.lua
file's option, it will make it easier to display events.

thanks
Noah


On Sun, Aug 2, 2020 at 12:23 AM Costas Kleopa (ckleopa) via Snort-devel <
snort-devel () lists snort org> wrote:

> Currently we do this by the IPS rules and the appid rule option.
>
> There are also some upcoming enhancements which we plan to discuss a
> better alternative, on a new blog coming up soon so keep an eye for that
> too.
>
> Thanks,
> Costas
>
> > On Aug 1, 2020, at 10:03 AM, Özkan KIRIK via Snort-devel <
> snort-devel () lists snort org> wrote:
> > 
> > Hello,
> >
> > Is it possible to log the detected appId ? I couldn't find any related
> field names for alert_json in manual.
> > Regards
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists snort org
> > https://lists.snort.org/mailman/listinfo/snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!